Investigation: Upload Files From a Watched Folder

Document created by RSA Information Design and Development on Jul 28, 2016
Version 1Show Document
  • View in full screen mode

Security Analytics Malware Analysis watches a file share and automatically consumes files placed in specific folders in the file share. This feature is useful for:

  • Bulk import of hash files from /var/lib/rsamalware/spectrum/hashWatch.
  • Addition of custom YARA rules to the Indicators of Compromise (IOC) list on the host from /var/lib/rsamalware/spectrum/yara/watch.
  • Creation of on-demand scan jobs from a zip archive of infected zip files from /var/lib/rsamalware/spectrum/infectedZipWatch/watch.

Analysts need to prepare the files for consumption in accordance with requirements, the file extension must be correct, and the file must be copied to the correct watched folder in the file share.

Import a Hash List

To import a hash list from the watched directory, the hash list must be in the specified format and must be sorted on md5. The required format is described in the Configure Hash Filter topic in the Malware Analysis Configuration Guide.

You can drop such a formatted file into a folder (/var/lib/rsamalware/spectrum/hashWatch) on the Malware Analysis host, and it is automatically imported into the local hash database.

To import a hash list using the watched folder method:

  1. Copy the hash lists that you want to import into the /var/lib/rsamalware/spectrum/hashWatch directory.

    Security Analytics Malware Analysis automatically watches this folder and processes files placed there.

    1. Security Analytics Malware Analysis adds every hash found in the hash lists to the hash filter.
    2. If there are processing errors, they are logged in: /var/lib/rsamalware/spectrum/hashWatch/error
    3. Processed files are cataloged here: /var/lib/rsamalware/spectrum/hashWatch/processed
    4. Processed files are not removed from the hashWatch directory.
  2. After importing hashes in bulk, the System Administrator can use a cronjob to clean up old processed files.

Import YARA rules to the IOC List

Customers with advanced skills and knowledge can add detection capabilities to RSA Malware Analysis by authoring YARA rules and publishing them in RSA Live or placing YARA rules in a watched folder for the host to consume. Implement Custom YARA Content provides complete information on the prerequisites for using custom YARA content and authoring rules.

When the rules are ready, place the custom YARA files in the folder that the Malware Analysis service watches:
The file is consumed within one minute.
Once consumed, Security Analytics moves the file to the processed folder, and the new rule is added to the Malware Analysis Service Config view > Indicators of Compromise tab.


Import Files into the Scan Jobs List

When you obtain samples from perimeter security solutions and would like to perform further analysis on the files, you can zip the files and password protect the archive with infected, then add to the watched folder for consumption by Malware Analysis. This zipped archive is ready to be placed in the watched folder: /var/lib/rsamalware/spectrum/infectedZipWatch/watch.

Note: The maximum size of the archive is 100 MB.

To analyze infected, password-protected zip files, Malware Analysis consumes archives place in a watched folder and creates an on-demand job that is added to the Scan Jobs List.

  1. While logged on as administrator, place the files to be processed in a zip file with password infected at /var/lib/rsamalware/spectrum/infectedZipWatch/watch
    In a minute or two Malware Analysis consumes the archive and creates an on-demand job in the Scan Jobs List. The scan job name is the name of the file, the user is file share, and the Event Type is 1. The archive is moved to /var/lib/rsamalware/spectrum/infectedZipWatch/processed
  2. After the job is added to the Scan Job List, run a script or cronjob to clean up the zip file in /var/lib/rsamalware/spectrum/infectedZipWatch/processed.